In formal comments to the California Public Utility Commission, EPIC said that utility customers should control the use of personal information generated by Smart Grid services. EPIC warned that companies will otherwise use the data for purposes not related to electricity delivery, consumption management, or payment. EPIC urged the California Commission to include a requirement that limits the use of personal data by third party providers offering energy management services. The Commission acknowledged EPIC's March 2010 comments and EPIC's April 2010 comments in the proposed California Smart Grid plan.

EPIC Reply to Proposed Decision
California Public Utility Commission
June 10, 2010

BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA

Order Instituting Rulemaking to Consider Smart Grid Technologies Pursuant to Federal Legislation and on the Commission’s own Motion to Actively Guide Policy in California’s Development of a Smart Grid System

Rulemaking 08-12-009 (Filed December 18, 2008)

Comments of the Electronic Privacy Information Center (EPIC) on Proposed Decision Adopting Requirements for Smart Grid Deployment Plans Pursuant to Senate Bill 17

Lillie Coney, Associate Director, coney@epic.org
Electronic Privacy Information Center (EPIC)
1718 Connecticut Avenue, NW, Suite 200
Washington, DC 20009
202-483-1140

The Electronic Privacy Information Center (EPIC) would like to thank the California Public Utility Commission for taking a leadership role in the national effort to develop a Smart Grid Deployment Plan. California Senate Bill 17 creates a unique opportunity for the Commission to establish high standards that facilitate Smart Grid adoption that support strong privacy fair information practices and end-to-end security principles.

On March 9, 2010 and on April 20, 2010 EPIC filed comments, and a reply to comments with the Commission, which are noted in the proposed decision by the California Public Utility Commission to regulate Smart Grid deployment.[1] EPIC greatly appreciates the transparent rulemaking process conducted by the California Public Utility Commission and its willingness to hear all voices regarding the issue of Smart Grid deployment.

[1] California Public Utility Commission, Proposed Decision, May 21, 2010, available at http://www.cpuc.ca.gov/EFILE/PD/118336.pdf
EPIC’s core concerns relate to customer control over the collection, retention, sharing, use and possible reuse of Smart Grid data for purposes not related to electricity delivery, consumption management, or payment for electricity service. We acknowledge that addressing these issues will challenge the Commission as it works to meet the future energy needs of California consumers. Ultimately, the value of the Smart Grid will be the willingness of consumers to participate voluntarily in the applications, services, and technologies designed to make electricity usage more efficient and reliable.

Although the Commission has not addressed fully the issue of Smart Grid privacy protection for consumers, we appreciate the “elements of security and privacy” that are addressed in this draft decision.[2] We agree with the adoption of uniform Privacy Impact Assessment (PIA) criteria as outlined by the draft Commission’s decision.[3] However, EPIC would recommend that the Commission’s final decision include a requirement that all third party customer energy usage management service providers that collect, retain, or use personally identifiable customer electricity usage data should conduct a similar PIA review.

At the least, the Commission could in its wisdom add a question “i” under the “Findings of Fact” number 38, regarding Utilities’ Smart Grid deployment plans “pertaining to customers and their usage of electricity and power.”[4] EPIC respectfully requests that the Commission direct utilities to reply to the following question: “What provisions will the utility make to assure that the privacy practices outlined by this section will be reflected in their relationship(s) with third party providers offering energy management services to utility customers?” The replies to this question can further inform the Commission on its plans to address privacy interests of consumers of Smart Grid energy and related services.

The plug and play environment, which may develop as a result of Smart Grid applications and interactive devices, poses serious challenges to the privacy and security of data collected and the overall security of the grid. If the Commission cannot fully speak to the privacy issue in this decision, EPIC endorses an expedited process for addressing information access and privacy protection regarding Smart Grid data.

The Commission correctly states that privacy’s inclusion at the design, development, and implementation phases of the Smart Grid will assure that privacy is an integral part of Smart Grid architecture.[5] EPIC thanks the Commission and the contributors to this process who support the fundamental principles for privacy and security that should guide the development of what will be a national project on a scale not rivaled since the construction of the Panama Canal.[6] For this reason, EPIC supports the Commission’s position “that a baseline should be undertaken by the utilities.”[7]

EPIC would also recommend that the final “Order” of the Commission’s Decision include a requirement for a model baseline for an optimal Smart Grid Deployment Plan. The State of California has a wealth of academic and research institutions, which may provide excellent collaborative input on the development of a model baseline of this type. A model of an optimal baseline Smart Grid design and implementation strategy can better inform the Commission regarding proposed implementations submitted by utilities. This would help to indicate gaps between aspirations and capabilities regarding the best designs and implementation of the first generation of the Smart Grid. This will also allow for scheduling and planning around improvements to the Smart Grid that would avoid reliance upon system failures to push innovation or problem solving.[8]

The Commission’s recommendation that the California Smart Grid deployment plan should be informed by the security components of the NIST framework is important, but EPIC would suggest that the Commission view the NIST document as a floor and not a ceiling.[9] The Smart Grid will be an extremely complex system, which could have an organic nature similar to the Internet. It is likely that absent a full standards development process an environment will develop around the Smart Grid infrastructure that introduces vulnerabilities as applications and technologies are deployed absent a consistent and rigorous process to benchmark end-to-end trustworthiness.[10]

Privacy protection is essential to the successful implementation of the Smart Grid. There can be security without privacy, but there can be no privacy without security. EPIC is ready and willing to assist the California Public Utility Commission as it seeks to develop robust privacy policies that are bolstered by security applications and services, which support consumer control over their electricity usage data.

EPIC thanks the California Public Utility Commission for its dedication to protect the rights of consumers, which can have positive implications for Smart Grid deployment nationally. Strong privacy leadership at this pivotal point of Smart Grid implementation may make the critical difference in establishing benchmarks and standards that can protect privacy, the integrity of the grid and the energy security of electricity consumers.

[2] Proposed Decision at pp. 8-9
[3] Proposed Decision pp. 39-40
[4] Proposed Decision pp. 110-111
[5] Proposed Decision at pp. 9
[6] David McCullough, Path Between the Seas: The Creation of the Panama Canal, (1974)
[7] Proposed Decision at pp. 38
[8] Richard Simon, Betina Boxall and Margot Roosevelt, Gulf oil spill figures may be double earlier estimates, Los Angeles Times, June 10, 2010
Sincerely,

/s/Lillie Coney
Lillie Coney, Associate Director
EPIC
June 10, 2010

[9] Proposed Decision at pp. 56-60
[10] Department of Homeland Security, A Roadmap for Cybersecurity Research, pp. 1 available at http://www.cyber.st.dhs.gov/docs/DHS-Cybersecurity-Roadmap.pdf

CERTIFICATE OF SERVICE

I, Lillie Coney, hereby certify that, pursuant to the Commission’s Rules of Practice and Procedure, I have this day served a true copy of this document, Comments of the Electronic Privacy Information Center (EPIC) on Proposed Decision Adopting Requirements for Smart Grid Deployment Plans Pursuant to Senate Bill 17, on all parties identified on the attached official service list for Proceedings R08-12-009. Service was completed by serving an electronic copy on their email addresses and by mailing paper copies to parties without e-mail addresses as outlined by the California Public Utility’s rules of service regarding comments in official proceedings.

Executed on June 10, 2010, at Washington, DC.
/s/Lillie Coney
Lillie Coney, Associate Director
Electronic Privacy Information Center (EPIC)
1718 Connecticut Avenue, NW Suite 200
Washington, DC 20009

R-08-12-009 SERVICE LIST
http://docs.cpuc.ca.gov/published/service_lists/R0812009_78228.htm (June 10, 2010)

Communication Sent By FIRST CLASS U.S. Mail

Harold Galicer, Seakay, Inc, PO Box 78192, San Francisco, CA 94107
Mark Schaeffer, GraniteKey, LLC, 1295 Heather Lane, Livermore, CA 94551
Kevin Anderson, UBS Investment Research, 1285 Avenue of the Americas, New York, NY 10019
Matt McCaffree, OPOWER, 1515 North Courthouse Road, Sixth Floor, Arlington, VA 22201
Jim Sueuga, Valley Electric Association, P.O. Box 237, Pahrump, NV 89041
Phil Jackson, System Engineer, Valley Electric Association, 800 E. HWY 372, PO BOX 237, Pahrump, NV 89041
Megan Kuize, Dewey & Lebouf, 1950 University Circle, Suite 500, East Palo Alto, CA 94303
David Kates, David Mark & Company, 3510 Unocal Place, Suite 200, Santa Rosa, CA 95403
Jessica Nelson, Energy Services Manager, Plumas Sierra Rural Electric Coop, 73233 State Route 70, Portola, CA 96122-7069
